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DETAILED ACTION 

Response to Amendment 

Applicant's submission filed on 11/14/2006 has been entered. Claims 1, 4-5, 10, 13-15 
and 20 have been amended. Claims 1-20 are pending in the application. 

Response to A rguments 
Applicant's arguments filed November 14, 2006 have been fully considered but are moot 
in view of the new ground(s) of rejection set forth below. 

As address below, the claim 1 is anticipated by S. Ma, et al., "EventMiner: An 
integrated mining tool for Scalable Analysis of Event Data", May 21, 2001, 
www.research.ibm.com , in view of D. Kranzlmuller, S. Gradbner, J. Volkert, "Event graph 
visualization for debugging large applications", Proc. of the SIGMETRICS symposium on 
Parallel and distributed tools, Philadelphia, PA, United States, Pages: 108 - 117 (hereinafter 
Kranzlmuller). 

The cited prior art Ma reference teaches in Fig. 7 and the last paragraph of the Page 12 
plotting the primary attribute (e.g., with the attribute values indicating the troublesome hosts 
having significantly high event counts) versus time with the attribute values for events in a 
communication network and the primary attribute is selected from a plurality of attributes related 
to the one or more significant measurements such as the co-occurrences (i.e., the total number of 
times that two hosts generate events within a predefined time window), the conditional 
probability of the two hosts (i.e., the probability of a host generating an event given the 
observation that the other host has generated an event), the chi-squared test and so on. Moreover, 
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the Fig. 4 shows the coloring of the events having the seconary attribute with the patterns 
indicating the authentication failure and SNMP request in order to differentiate using the 
coloring the events with authentication failure from other events. A pattern label is assigned to 
the events falling into the same pattern. Finally, the operator can view different event attributes 
by switching menus (Fig. 6). 

Ma has taught in Fig. 7 and the last paragraph of the Page 12 plotting the primary 
attribute (e.g., with the attribute values indicating the troublesome hosts having significantly high 
event counts) versus time with the attribute values for events in a communication network. Ma 
has also taught a plurality of attributes related to the one or more significant measurements such 
as the co-occurrences (i.e., the total number of times that two hosts generate events within a 
predefined time window), the conditional probability of the two hosts (i.e., the probability of a 
host generating an event given the observation that the other host has generated an event), the 
chi-squared test and so on wherein the attribute values are plotted in the same plot. It is clear that 
Ma discloses attributes including categorical attributes of the hosts, event types, severity of the 
events, etc. See Figs. 2, 6, 7 and 9. 

In Ma many significant event patterns are simultaneously identified within a single plot 
without the operator's switching between the various event attributes. 

Ma discloses display label to the events such as "Link down of host A", "node down of 
host B", "authentication failure of host A", etc., including the colors for coloring the different 
patterns that indicate the attribute values of the primary attribute such as the co-occurrences of 
some specific events within a predefined time window. 
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Ma discloses a secondary display label including the colors for coloring the different 
patterns for the events in the communication network that indicate the attribute values of the 
primary attribute such as the co-occurrences of some specific events within a predefined time 
window. 

Ma teaches in Fig. 5(b) displays two different attributes for the events: Figs. 2 and 4 
show v-axis is the host name attribute as well as the coloring of attribute such as "authentication 
failure " events in red and "SNMP request events in zreen; therefore, at least two event 
attributes such as host name, authentication failure, SNMP request have been simultaneously 
monitored in the plot of Figs. 2 and 4 . The menu options shown in Fig. 6 allow for the y-axis 
attribute mappings be changed. Moreover, Ma teaches mapping a plurality of attributes to item 
and viewing both numerical attribute and categorical attribute on a same plot in Fig. 7 (See Page 
10). Thus, Ma at least teaches or suggests the claim limitation of viewing a secondary attribute of 
said each event together with the primary attribute on said display. 

Ma is silent to "automatically generating a large variety of visualizations along other 
attribute axes, and identifying correlations by superimposing and cross-referencing these 
visualizations." 

However, Kranzlmuller teaches the claim limitation of "automatically generating a large 
variety of visualizations along other attribute axes, and identifying correlations by superimposing 
and cross-referencing these visualizations." 

Kranzlmuller teaches automatically generating a large variety of visualizations (P0- 
P7) along the other attribute axes (See Kranzlmuller Page 109 and Figs. 1-2 showing the 
arrangement of the axes applied to the visualization of the event graph wherein a plurality of 
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visualizations for dimensions P0-P7 are superimposed in the event graph) and identifying 
correlations (such as the inter-process dependencies between processes among the event 
visualizations wherein dependencies among the processes mean correlations among the 
processes in the event visualizations) by superimposing {the processes! dimensions P0-P7 are 
superimposed vertically wherein the events belonging to the dimensions P0-P7 are plotted with 
the attribute values of the events or dimension values being allocated to each of the 
processes/dimensions P0-P7 and the attribute values for example are the colors which are 
changed to indicate the state of the process in the value range of {active, idle, blocked}; see 
Page 109 and therefore they-axis presents the attribute values allocated to each of the 
processes/dimensions P0-P7) and cross-referencing (e.g., the inter-process dependencies 
between processes, e.g., directed edges between vertices are either communication or 
sequential program flow and the events Al andAl occur in process P0, Event B1-B3 occurs 
in process PI. In process 1 the event Bl has the attribute of being the send event and Al has 
the attribute of being the receive event. The send event Bl and the receive event Al is 
connected through a directed arc in the graph. The process axis is arranged vertically) these 
visualizations. 

Kranzlmuller teaches viewing a plurality of attributes P0-P7 for the visualizations of 
the events in a communication network. Kranzlmuller teaches viewing a secondary 
categorical attribute (e.g., an event belonging to the category P0) of said each event 
together with the primary categorical attribute (e.g., an event belonging to the category PI) 
on said display (See Page 109, Fig. 2). 
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It would have been obvious to one of the ordinary skill in the art at the time the invention 
was made to have incorporated Kranzlmuller's teaching into Ma to view a plurality of attributes 
related to the events on the same display because Ma at least suggests the claim limitation of 
viewing a secondary attribute of said each event together with the primary attribute on said 
display at least by the means of mapping of the secondary attribute and coloring the secondary 
attribute and therefore the secondary attribute and the primary attribute are distinctly viewed ( See 
Figs. 2 and 4 of Ma wherein a plurality of secondary attributes are colored so as to be viewed. 
Although the menu options are used in Fig. 6 of Ma to switch the primary attribute to the 
another attribute, the secondary attribute can be viewed by the coloring mechanism as disclosed 
and can be further queried and displayed in different plots on the same display ). 

One of the ordinary skill in the art would have been motivated to do so such that the 
inter-process dependency among events and event categorical attributes are visualized 
(Kranzlmuller Page 109). 

Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claim 10: 

Claim 10 recites "computer readable program on tangible computer media". The claimed 
tangible computer media is not necessarily a computer readable medium. The claimed computer 
readable program is not necessarily computer executable instructions. There is no structural and 
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functional interrelationship between the instructions and the rest of the computer to permit the 
instructions' functionality to be realized. Claim 10 is, thus, non-statutory. 



Claim 11: 

Claim 1 1 recites "a computer program on a computer readable medium containing a 
program code to carry out all steps of the method of claim 1". The claimed computer program is 
not necessarily computer executable instructions. There is no structural and functional 
interrelationship between the instructions and the rest of the computer to permit the instructions' 
functionality to be realized by the computer. Claim 11 is, thus, non-statutory. 

Claim Rejections - 35 USC § 112 
The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

Claims 1-20 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with 
the written description requirement. The claim(s) contains subject matter which was not 
described in the specification in such a way as to reasonably convey to one skilled in the relevant 
art that the inventor(s), at the time the application was filed, had possession of the claimed 



invention. 
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For example, the claim 1 recites "automatically generating a large variety of 
visualizations along other attribute axes, and identifying correlations by superimposing and 
cross-referencing these visualizations." 

By the claim limitations, the visualizations are generated along other attribute axes. 
However, lines 7-11 of the claim 1 refer the x-axis and y-axis as attribute axes. It is understood 
from the claim limitations set forth in the claim 1 that other attribute axes as claimed are the axes 
other than the x-axis and y-axis. See also Fig. 1 of applicant's specification. However, the axes 
as claimed other than the x-axis and y-axis set forth in lines 7-11 of the claim are not disclosed in 
applicant's specification. The applicant's specification (e.g., Fig. 1) shows that the visualizations 
are superimposed and cross-referenced along the y-axis with respect to the x-axis. There are no 
other axes involved in these visualizations. Therefore, the metes and bounds of the coverage of at 
least base claim 1 cannot be ascertained. 

To comply with the "written description" requirement of 35 U.S.C. 1 1 2, first paragraph, 
an applicant must convey with reasonable clarity to those skilled in the art that, as of the filling 
date sought, he or she was in possession of the invention. The invention is, for purposes of the 
"written description" inquiry, whatever is now claimed. Vas-Cath, Inc. v. Mahurkar, 935 F.2d 
1555, 1563-64, 19 USPQ2d 1111, 1117 (Fed. Cir. 1991). For purposes of written description, 
one shows "possession" by descriptive means such as words, structures, figures, diagrams, and 
formulas that fully set forth the claimed invention. Lockwood v. American Airlines, Inc., 107 
F.3d 1565, 1572, 41 USPQ2d 1961, 1966 (Fed. Cir. 1997). Such descriptive means cannot be 
found in the disclosure for the inventions of the claim 1. 
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The claims 1-13, and 15-19 depend upon the claim 1 and are rejected due to their 
dependency on the claim 1. 

The claims 14 and 20 are subject to the same rationale of rejection set forth in the claim 

1. 

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claim 14 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for 
failing to particularly point out and distinctly claim the subject matter which applicant regards as 
the invention. 

Claim 14 recites the limitation "the machine" in line 2 of the claim. There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over S. Ma, et al., 
"EventMiner: An integrated mining tool for Scalable Analysis of Event Data", May 21, 2001, 
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www.research.ibm.com in view of D. Kranzlmuller, S. Gradbner, J. Volkert, "Event graph 
visualization for debugging large applications", Proc. of the SIGMETRICS symposium on 
Parallel and distributed tools, Philadelphia, PA, United States, Pages: 108 - 117 (hereinafter 
Kranzlmuller). 

Claim 1: 

Ma teaches a method of monitoring events in a computer network, the method 
comprising: 

Said computer network triggering said events, each event being provided with attribute 
values allocated to a given set of attributes of said each event ( The term "attributes " are not 
clear as it may be related to the data object attributes for each event or the pattern attributes for 
each pattern for a plurality of data objects : However, the pattern attributes for a plurality of 
data objects are also related to the data object attributes as a pattern is computed from the 
plurality of data objects. The cited reference teach mapping a plurality of data attributes to item 
to identify correlations across different hosts and event types by using the mapping that maps the 
pair of event type and host name to item and leaves key empty. See Page 11. Moreover, the cited 
reference in Page 1, second paragraph, explicitly teaches the attribute values, see the last 
paragraph of Page 6 and the first and second paragraphs of Page 8, the last paragraph of Page 
12, and the real data set collected from a production computer network containing thousands of 
managed nodes including routers, hubs and servers are described in the last paragraph of page 
3 and identifying unknown event patterns that can be used for real-time monitoring is described 
in the second paragraph of page 3. Ma has also taught a plurality of pattern attributes related to 
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the one or more significant measurements such as the co-occurrences, i.e., the total number of 
times that two hosts generate events within a predefined time window, the conditional probability 
of the two hosts, i.e., the probability of a host generating an event given the observation that the 
other host has generated an event, the chi-squared test and so on); 

Simultaneously monitoring various event attributes versus the arrival time of said events 
( e.g.. Fig. 5(b) displays two different attributes for the events; Figs. 2 and 4 show v-axis is the 
host name attribute as well as the coloring of attribute such as "authentication failure " events in 
red and "SNMP request events in green; therefore, at least two event attributes such as host 
name, authentication failure, SNMP request have been simultaneously monitored in the plot of 
Figs. 2 and 4 ): 

Providing an event display with a cross plot having x and y coordinate axes, the x-axis 
presenting a time period and the y-axis present an attribute value range (e.g., The cited reference 
teach mapping a plurality of data attributes to item to identify correlations across different hosts 
and event types by using the mapping that maps the pair of event type and host name to item and 
leaves key empty. See Page 11. Figs. 2, 4, 6, 7, 9 and the third paragraph of Page 8 describes a 
scatter plot or cross plot having an y-axis representing around 160 hosts of a communication 
network and the x axis has been described in the figures as well as the first paragraph of page 6; 
for attribute value range, see these figures as well as the description in the second paragraph of 
Page 8); 

Determining a primary attribute of the events selected from the given set of attributes to 
be presented with its attribute values on the y-axis of the cross plot (e.g., The cited reference 
teach mapping a plurality of data attributes to item to identify correlations across different hosts 



Application/Control Number: 10/798,070 Page 12 

Art Unit: 2628 

and event types by using the mapping that maps the pair of event type and host name to item and 
leaves key empty. The attributes including the categorical attributes or temporal attributes and 
the primary attribute values are displayed in Figs. 2, 4, 6 and 7 and multiple attributes are 
described in the last paragraphs of Page 11 and 12), 

Allocating a first display label {e.g., one of the colors indicating the patterns such as the 
Pattern 1 } Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7 and 9 such as "Link down of host A " and "node down of host B") to the events 
(e.g., alarms in Page 10) indicating (mapping of the attributes wherein the mapping results are 
shown in the plots with the patterns identifying/indicating the attribute values of the primary 
attribute related to the categorical attribute such as the host A or the host B. Moreover, the 
pattern attribute values identifying the pattern 1 and the pattern 2 also describe the primary 
attribute such as the host A and the host B for the patterns such as "Link down of host A " and 
"node down of host B") the attribute values of the primary attribute (e.g., co-occurrence of 
certain events or the categorical attribute and event type associated with the events wherein the 
primary attribute is related to the primary attribute of the data set or the primary attribute of the 
patterns; See Page 12 and the key attribute values are described in the second paragraph of 
page 3), providing a pattern algorithm (the pattern algorithm is described in Fig. 7 as well as the 
mining algorithm as described in the last paragraph of page 12 or the EventMiner for ordering 
categorical values wherein the event generating, say every 300 seconds, may be identified) to 
detect whether an arrived event (arrived event are the selected event objects or the selected data 
objects in a specific time range related to the events progressively loaded from a database or the 
mining alarm logs in a real time system; see first paragraph of page 13 and the last paragraph 
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of page 10 and a new query that retrieves the relevant data objects for more analysis in which a 
new query is restricted to a range constraint for a numerical attribute; see the last paragraph of 
page 10) is part of the given pattern (is part of the given pattern such as the Pattern 1 or the 
Pattern 2 from the identifiable patterns such as the SNMP request, authentication failure, link 
up, link down, port up, port down wherein authentication failure indicates a possible security 
intrusion and link down of host A indicates the attribute associated with the data objects as 
well as the attribute associated with the event ) on the basis of a comparison of the attributes 
allocated to the given pattern and of the attributes assigned to the arrived event (e.g., the co- 
occurrence measurements for events can be computed for the data sets or the data objects and 
the temporal correlation with the selected hosts from the other side of the AttributeViewer can be 
identified using the color linkage by the coloring and filtering algorithm or the data mining 
algorithm in which the difference or similarity in terms of patterns indicated by colors is 
compared; see page 12-13), providing a mapping algorithm to map any attribute value of an 
attribute selected from the given set of attributes onto the y-axis of the cross plot (see the last 
paragraphs of Page 11-12; The cited reference teach mapping a plurality of data attributes to 
item to identify correlations across different hosts and event types by using the mapping that 
maps the pair of event type and host name to item and leaves key empty.), 

Allocating a second display label (e.g., one of the colors indicating the patterns such as 
the Pattern 1, Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7; SNMP request, authentication failure, link up, link down, port up, port down 
wherein authentication failure indicates a possible security intrusion may be used as display 
labels as well. The attribute values may be used as display labels as well) to the events indicating 
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the attribute values of the attributes being uncovered (discovered) as part of the given pattern 
(e.g., the co-occurrence measurements for events can be computed and the temporal correlation 
with the selected hosts from the other side of the AttributeViewer can be identified using the 
color linkage by the coloring and filtering algorithm or the data mining algorithm in which the 
difference or similarity in terms of patterns indicated by colors is compared; see page 12-13; the 
display labels indicate the attribute values of the attributes being discovered as part of the given 
pattern, for example, the second host was near a critical level for a key metric indicates the 
attribute values of the attributes being discovered as part of the given pattern), plotting all the 
events arrived within the time period and including an attribute value allocated to the primary 
attribute into the cross plot with the first display label indicating the primary attribute, the 
position of the first display label of each event in the cross plot being determined on the basis of 
the attribute value of the primary attribute of the event and its arrival time (e.g., The cited 
reference teach mapping a plurality of data attributes to item to identify correlations across 
different hosts and event types by using the mapping that maps the pair of event type and host 
name to item and leaves key empty. Figs. 2, 4, 6, and 7 and the related paragraphs mentioned 
above in "allocating a first display label", e.g., one of the colors indicating the patterns such as 
the Pattern 1, Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7; SNMP request, authentication failure, link up, link down, port up, port down 
wherein authentication failure indicates a possible security intrusion may be used as display 
labels as well. The attribute values may be used as display labels as well), and 

Plotting the all events arrived within the time period (Figs. 2, 4, 6, and 7 plot the all 
events within a specific time range) and being detected by means of the pattern algorithm (by the 
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event miner algorithm) as part of the given pattern into the cross plot with the second display 
label (e.g., one of the colors indicating the patterns such as the Pattern 1, Pattern 2, Pattern 3 
and Pattern 4 as marked in the scatter plot or the cross plot of Figs. 2, 6, 7 and 9 or Pattern 2 or 
the Green Spike in Fig. 10), the position of the second display label of each event in the cross 
plot being determined by the mapping algorithm on the basis of the attribute value of the 
attribute of the event (see Figs. 1-10) on the basis of the attribute value of the attribute of the 
event being uncovered (uncovered for example in the alarm log and uncovered by the mining 
algorithm) as part of the given pattern and its arrival time (discovered as part of the given 
pattern such as Patterns 1-4 and its arrival time; all the selected events are in a specific time 
range as plotted in Figs. 2, 4, 6, 7 and 10). 

In other words, Ma discloses an apparatus and system for monitoring events in a 
computer network enabling an operator of an intrusion-detection system to simultaneously 
monitor various event attributes versus the arrival time of the events, for example, authentication 
failure indicates a possible security intrusion may be used as display labels. The cited prior art 
teaches in Fig. 7 and the last paragraph of the Page 12 plotting the primary attribute (e.g., with 
the attribute values indicating the troublesome hosts having significantly high event counts) 
versus time with the attribute values for events in a communication network and the primary 
attribute for a host is selected from a plurality of attributes related to the categorical values, the 
one or more significant measurements such as the co-occurrences (i.e., the total number of times 
that two hosts generate events within a predefined time window), the conditional probability of 
the two hosts (i.e., the probability of a host generating an event given the observation that the 
other host has generated an event), the chi-squared test and so on. 



Application/Control Number: 10/798,070 Page 16 

Art Unit: 2628 

Fig. 4 shows the coloring of the events having the primary attribute with the patterns 
indicating the authentication failure and SNMP request in order to differentiate using the 
coloring the events with authentication failure from other events. A pattern label is assigned to 
the events falling into the same pattern. Finally, the operator can view different event attributes 
by switching menus (Fig. 6). 

Ma has taught in Fig. 7 and the last paragraph of the Page 12 plotting the primary 
attribute (e.g., with the attribute values indicating the troublesome hosts having significantly high 
event counts) versus time with the attribute values for events in a communication network. Ma 
has also taught a plurality of attributes related to the one or more significant measurements such 
as the co-occurrences (i.e., the total number of times that two hosts generate events within a 
predefined time window), the conditional probability of the two hosts (i.e., the probability of a 
host generating an event given the observation that the other host has generated an event), the 
chi-squared test and so on wherein the attribute values are plotted in the same plot. See Figs. 2, 6, 
7 and 9. Many significant event patterns are simultaneously identified within a single plot 
without the operator's switching between the various event attributes. 

Ma discloses display label including the colors for coloring the different patterns that 
indicate the attribute values of the primary attribute such as the co-occurrences of some specific 
events within a predefined time window. 

Ma teaches in Fig. 5(b) displays two different attributes for the events: Figs. 2 and 4 
show y-axis is the host name attribute as well as the coloring of attribute such as "authentication 
failure " events in red and 'SNMP request events in green; therefore, at least two event 
attributes such as host name, authentication failure, SNMP request have been simultaneously 
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monitored in the plot of Figs, 2 and 4 . The menu options shown in Fig. 6 allow for the y-axis 
attribute mappings be changed. Moreover, Ma teaches mapping a plurality of attributes to item 
and viewing both numerical attribute and categorical attribute on a same plot in Fig. 7 (See Page 
10). Thus, Ma at least teaches or suggests the claim limitation of viewing a secondary attribute of 
said each event together with the primary attribute on said display. 

Ma is silent to "automatically generating a large variety of visualizations along other 
attribute axes, and identifying correlations by superimposing and cross-referencing these 
visualizations." 

However, Kranzlmuller teaches the claim limitation of "automatically generating a large 
variety of visualizations along other attribute axes, and identifying correlations by superimposing 
and cross-referencing these visualizations." 

Kranzlmuller teaches automatically generating a large variety of visualizations (P0-P7) 
along the other attribute axes (See Kranzlmuller Page 109 and Figs, 1-2 showing the 
arrangement of the axes applied to the visualization of the event graph wherein a plurality of 
visualizations for dimensions P0-P7 are superimposed in the event graph) and identifying 
correlations (such as the inter-process dependencies between processes among the event 
visualizations wherein dependencies among the processes mean correlations among the 
processes in the event visualizations) by superimposing (the processes I dimensions P0-P7 are 
superimposed vertically wherein the events belonging to the dimensions P0-P7 are plotted with 
the attribute values of the events or dimension values being allocated to each of the 
processes! dimensions P0-P7 and the attribute values for example are the colors which are 
changed to indicate the state of the process in the value range of {active, idle, blocked}; see 
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Page 109 and therefore they-axis presents the attribute values allocated to each of the 
processes! dimensions P0-P7) and cross-referencing {e.g., the inter-process dependencies 
between processes, e.g., directed edges between vertices are either communication or sequential 
program flow and the events Al andAl occur in process P0, Event B1-B3 occurs in process PL 
In process 1 the event Bl has the attribute of being the send event and Al has the attribute of 
being the receive event. The send event Bl and the receive event Al is connected through a 
directed arc in the graph. The process axis is arranged vertically) these visualizations. 

Kranzlmuller teaches viewing a plurality of attributes P0-P7 for the visualizations of the 
events in a communication network. Kranzlmuller teaches viewing a secondary categorical 
attribute (e.g., an event belonging to the category P0) of said each event together with the 
primary categorical attribute (e.g., an event belonging to the category PI) on said display (See 
Page 109, Fig. 2). 

It would have been obvious to one of the ordinary skill in the art at the time the invention 
was made to have incorporated Kranzlmuller' s teaching into Ma to view a plurality of attributes 
related to the events on the same display because Ma at least suggests the claim limitation of 
viewing a secondary attribute of said each event together with the primary attribute on said 
display at least by the means of mapping of the secondary attribute and coloring the secondary 
attribute and therefore the secondary attribute and the primary attribute are distinctly viewed ( See 
Figs. 2 and 4 of Ma wherein a plurality of secondary attributes are colored so as to be viewed. 
Although the menu options are used in Fig. 6 of Ma to switch the primary attribute to the 
another attribute, the secondary attribute can be viewed by the coloring mechanism as disclosed 
and can be further queried and displayed in different plots on the same display ). 
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One of the ordinary skill in the art would have been motivated to do so such that the 
inter-process dependency among events and event categorical attributes are visualized 
(Kranzlmuller Page 109). 

Re Claims 2-3: 

Ma further discloses selecting the new events within the specified time period and 
plotting the new events within the shifted time period into the cross plot. See Figs. 6, 7, 9 and 10 
in which events in the two time periods are drawn and the spikes are identified and the newly 
selected events are redrawn as determined by the data mining algorithm for the time period 
during which the new events are retrieved. The database records the attribute values and the 
arrival time of a new event. The pattern algorithm determines on the basis of the recorded 
attribute values of event whether or not the newly arrived event in the database and the newly 
retrieved event from the database includes an attribute value of the primary attribute, for a certain 
host and event type, as determined the pattern algorithm using the mapping mechanism for 
mapping a plurality of attributes including the primary attribute into an item for presentation, and 
the pattern algorithm also determines if the newly arrived event, e.g., alarm, includes the 
attribute value for the primary attribute, e.g., a certain host or a certain event type including 
SNMP request, authentication failure, link up, link down, port up, port down, link down of host 
A, node down of host B eta, shifting the x-axis of the cross plot for the new time period so that 
the new time period being presented on the x-axis covers the arrival time of the event and 
plotting the event arrived within the shifted time period into the cross plot with the first display 
label indicating the primary attribute. 
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Ma discloses determining on the basis of the recorded attribute values of event from the 
alarm log or the database whether or not the newly arrived event for the new time period is part 
of the given pattern using the pattern algorithm on the basis of a comparison of the attributes 
allocated to the given pattern, for example a composite pattern of Page 13, on the basis of a 
comparison analysis, and of the attribute assigned to the arrived event wherein the newly arrived 
event are determined by the retrieval time ranges and data ranges including the host names and 
types from the database. Ma further discloses determining if the newly arrived event includes an 
attribute value of the given pattern including the mutual dependence measurement of an m- 
pattern adding the event to the previous events being detected as part of the given pattern, and 
redrawing all the events being associated with given pattern in the cross plot by updating the 
cross plot. 

Re Claims 4-5: 

Ma further discloses the third display label and the fourth display label indicating the new 
patterns (See the three colored spikes in Fig. 6 and the four patterns in Fig. 7). 

Ma discloses determining if the newly arrived event does not include an attribute value of 
the given pattern, on the basis of the recorded attribute values of all previous arrived events from 
the alarm logs or from the database, by means of the mining algorithm whether or not the newly 
arrived event is part of a new pattern on the basis of a comparison (Page 13) of the attributes 
allocated to the new pattern and of the attributes assigned to the arrived events. Ma discloses 
allocating a third display label to the events, including the coloring of the new pattern, indicating 
the attribute values of the attributes being discovered as part of the new pattern wherein a large 
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amount of patterns can be discovered by the mining algorithms. Ma discloses plotting the all 
events being detected by means of the mining algorithm as part of the new pattern into the cross 
plot with the third display label indicating the new pattern, the position of the third display label 
of each event in the cross plot being determined by the mapping algorithm (Page 12 for the 
mapping of the attributes into item and thereby determining the positions of the patterns on the 
cross plot) on the basis of the attribute value of the attribute of the event (event types, host names 
etc) being uncovered as part of the new pattern, such as SNMP request, authentication failure, 
link up, link down, port up, port down, link down of host A, node down of host B etc, and its 
arrival time in the database. 

Ma discloses removing all the events including an attribute value allocated to the primary 
attribute from the cross plot, if a primary attribute to be presented with its attribute values on the 
y-axis of the cross plot is changed (if the mapping mechanism for mapping a plurality of 
attributes including the host names and event types are changed), allocating a fourth display label 
including SNMP request, authentication failure, linkup, link down, port up, port down, link 
down of host A, node down of host B etc, to the events indicating the attribute values of the new 
primary attribute (e.g., category attribute, event type of data objects). Ma discloses plotting all 
the events arrived within the time period as retrieved from the database and including an attribute 
value allocated to the new primary attribute into the cross plot with the fourth display label, 
including SNMP request, authentication failure, link up, link down, port up, port down, link 
down of host A, node down of host B etc, indicating the new primary attribute, such as the host 
name and event type, the position of the fourth display label of each event in the cross plot being 
determined by the mapping mechanism in Page 12 on the basis of the attribute value of the 
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primary attribute of the event and its arrival time as determined by the retrieval condition from 
the database. 

Re Claim 6: 

Ma further discloses the operator selects the events to be plotted and displaying textual 
and coloring information associated with the selected events on the event display (Page 4 and 
Figs. 6, 7, 9-10). 

Ma discloses plotting all attribute values, including the attributes such as event type, link 
down, and host name, host A, in the patterns marked as the link down of host A, node down of 
host B, recorded for an event, as retrieved from the database, with the respective display label 
into the cross plot if the event is selected by an operator and displaying textual information 
associated with the selected event on the event display. 

Re Claim 7: 

Ma further discloses a pattern algorithm such as the data mining algorithm suitable to 
perform multi-attribute pattern recognition (Figs. 6, 7, 9-10). 

Ma discloses the mining algorithm being suitable to perform multi-attribute pattern 
recognition using the mapping mechanism (Page 12) and the pattern comparisons/matching 
(Page 13). 



Re Claim 8: 
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Ma further discloses using color such as Red and Green to color the pattern Spikes and 
Pattern 1, Pattern 2, Pattern 3, Pattern 4 for specific mark layouts (Figs. 6, 7, 9-10). 
Ma discloses each display label includes different colors marking the events. 

Re Claim 9: 

Ma further discloses all events being uncovered as part of the pattern being clustered by 
the display label such as Red Spikes, Green Spikes (Figs. 6, 7 and 9-10). 

Ma discloses all events being discovered as part of the pattern as clustered by the 
different labels including Red Spikes and Green Spikes to indicate one of the plurality of events 
such as SNMP request, authentication failure, link up, link down, port up, port down, link down 
of host A, node down of host B etc, indicating the new primary attribute. 

Re Claim 10: 

Ma further discloses a data mining algorithm and GUI (Page 14). Ma discloses the 
mining algorithm carrying the steps as recited in the claim 1. 

Re Claim 11: 

Ma further discloses the program code being stored on data carrier (see page 5). Data 
carrier is inherent within the computer embodiment of Page 5. 



Re Claim 12: 
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Ma further discloses an event visualization device for monitoring events in a computer 
network (Page 3). The cited reference teach mapping a plurality of data attributes to item to 
identify correlations across different hosts and event types by using the mapping that maps the 
pair of event type and host name to item and leaves key empty. See Page 11. Moreover, the cited 
reference in Page 1, second paragraph, explicitly teaches the attribute values, see the last 
paragraph of Page 6 and the first and second paragraphs of Page 8, the last paragraph of Page 
12, and the real data set collected from a production computer network containing thousands of 
managed nodes including routers, hubs and servers are described in the last paragraph of page 
3 and identifying unknown event patterns that can be used for real-time monitoring is described 
in the second paragraph of page 3. 

Re Claims 13 and 15: 

Ma further discloses an implementation of the Event Miner algorithm on the computer 
(Page 4-5). 

Claim 14: 

The claim 14 is subject to the same rationale of rejection set forth in the claim 1. 
Claim 16: 

The claim 16 is subject to the same rationale of rejection set forth in the claims 2-4. 
Claim 17: 

The claim 17 is subject to the same rationale of rejection set forth in the claim 5. 
Claim 18: 

The claim 18 is subject to the same rationale of rejection set forth in the claims 2-4. 



* 
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Claim 19: 



The claim 19 is subject to the same rationale of rejection set forth in the claim 5. 



Claim 20: 



The claim 20 is subject to the same rationale of rejection set forth in the claim 1. 



Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jin-Cheng Wang whose telephone number is (571) 272-7665. 
The examiner can normally be reached on 8:00 - 6:30 (Mon-Thu). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kee Tung can be reached on (571) 272-7794. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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